Here’s the latest on the Facebook hack that compromised 30 million user accounts, down from the original estimate of 50 million. Three vulnerabilities in Facebook’s “View as” feature, which allows users to see their profiles as other users would see it, existed since July 2017. Facebook noticed an increase is suspicious activity on Sept. 14, 2018. They identified the issues and the resulting data breach on Sept. 25.

The vulnerabilities at the core of the breach allowed users to steal tokens that could be used to access user accounts. The attackers, whose identity and motivations are being kept confidential while an FBI investigation continues, used established accounts to steal account tokens from friends, friends of friends and beyond.

Using automation, the attackers quickly took control of more than 400,000 accounts and replicated what users would see when viewing the compromised profiles. They were able to see and steal virtually any user information included in a profile, such as the user’s name, contact information, email address, date of birth, education, work history, friends, groups, photos, instant message contacts, and check-in locations. Approximately 14 million of the 30 million affected users had “extensive” personal information stolen.

Facebook claims it hasn’t seen evidence of stolen information being misused or appearing on the dark web. However, there’s a chance that the three vulnerabilities have been used to carry out attacks that have yet to be detected.

Affected users have every right to be concerned because there is the very real potential for cybercrime resulting from the Facebook hack. Stolen data could be used for identity theft, to access financial accounts and medical records, or to execute spear-phishing attacks. When hackers can leverage personal information to fool victims, attacks become that much more dangerous. Also, many online platforms encourage users to log in using their Facebook accounts. Users with hacked Facebook accounts risk having other linked accounts attacked.

These risks aren’t limited to individual users. Hackers could shift the focus of their criminal activity to the employers of affected users, which is why organizations should be educating employees about the Facebook hack as part of a formal security awareness trainingprogram. If a Facebook account is compromised, the hacker knows where the user works or could find out fairly easily. They could use this information to make phishing emails more believable, pretending to be someone’s boss or co-worker to convince people to hand over credentials or sensitive data.

In a recent LogMeIn survey, 62 percent of respondents said they use the same password for work and personal accounts – even though 91 percent understand the risks. More than half haven’t changed their passwords in the last 12 months. Hackers could use the information gained from a personal Facebook account to figure out business credentials and gain access to corporate networks.

There are a number of steps organizations can take to reduce risk, such as adopting multifactor authentication, implementing a robust password policy and applying password encryption. Let ICG help you determine what strategy makes the most sense for your organization and develop an effective security awareness training program.